Verizon’s ‘perma-cookie’: Just another example of how ISPs invade, threaten our privacy

**Update: Verizon forced ‘supercookies’ on all of their customers until March 2015, when several senators raised privacy concerns over the practice. One year later, in March 2016, Verizon agreed to a three-year consent decree and was forced to pay a $1.35 million fine after the Federal Communications Commission found the company violated the privacy of its users.**

For two years, Verizon Wireless has been secretly altering people’s traffic by injecting a Unique Identifier Header, or UIDH, into all HTTP (web) requests. This UIDH allows advertisers to see Verizon customers’ identities as they browse unencrypted websites.

The story, which was reported in Wired and Ad Age, has security experts up in arms.

How the UIDH permacookie works

The UIDH is a unique combination of letters, numbers, and characters that identifies each Verizon Wireless customer. Let’s say you’re using your computer, smartphone, or any other device on an ISP that tracks you. As you browse the web, your device sends requests over the network to different servers on the web. Your ISP then inserts the UIDH, a unique tracking code, into each of your requests.

Since you’re the ISP’s customer, and since they run the network infrastructure, they know exactly which person made which network request, so they can match your tracking code to you. Not only does this give your ISP a lot of information about what sites you’re looking at, but it also makes it possible for other websites to track what you do online, too. Yikes.

For more, you can check out the infographic by Jonathan Mayer, a computer scientist and lawyer at Stanford who cobbled together the diagram based on information gleaned from Verizon’s patents and marketing materials.

As Mayer points out, “Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.”

This was confirmed by Verizon spokesperson Debra Lewis, who told Wired that there’s no way for users to turn off UIDHs – but that they could opt out of Verizon’s Relevant Mobile Advertising program.

To find out if your ISP is giving you a UIDH, go to http://lessonslearned.org/sniff, created by Kenn White. Note that mobile Chrome and Flipboard can mask tracking beacons, so try using a different browser if you normally use those. Also, make sure you’re using cellular data (2G/3G/LTE etc.) because the UIDH only gets added on cellular data, and not on Wi-Fi.

White also believes that AT&T and Sprint are using the same sort of identifier beacons on their customers, so if you’re not a Verizon Wireless user, you should still be vigilant.
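The check described above comes down to comparing the headers your device sent with the headers the server actually received. The following is an added example, not code from the original article or from Kenn White's tool; the function names, the `example.test` host and the identifier value are constructed for illustration, and only the `X-UIDH` header name comes from this page.

```python
"""Compare the headers a client sent with the headers a server received."""

# Header named on this page; HTTP header names are case-insensitive.
KNOWN_TRACKING_HEADERS = {"x-uidh"}


def parse_headers(raw_request: bytes) -> dict[str, list[str]]:
    """Return {lowercased-name: [values]} from a raw HTTP/1.1 request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: ignore rather than guess
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_injected(sent: bytes, received: bytes) -> dict[str, list[str]]:
    """Headers (or extra values) the server saw that the client never sent."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    injected: dict[str, list[str]] = {}
    for name, values in recv_h.items():
        extra = [v for v in values if v not in sent_h.get(name, [])]
        if extra:
            injected[name] = extra
    return injected


def tracking_headers(injected: dict[str, list[str]]) -> list[str]:
    """Subset of injected header names that are known tracking identifiers."""
    return sorted(n for n in injected if n in KNOWN_TRACKING_HEADERS)


# Constructed sample: the request as the browser sent it ...
SENT = (b"GET /sniff HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: demo-browser\r\nAccept: */*\r\n\r\n")
# ... and as the server logged it (the identifier is a placeholder).
RECEIVED = (b"GET /sniff HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: demo-browser\r\nAccept: */*\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n\r\n")

if __name__ == "__main__":
    added = find_injected(SENT, RECEIVED)
    print("added in transit:", added)
    print("tracking headers:", tracking_headers(added))
```

Any header that shows up only on the server side was added in transit; a proxy's own headers will also appear in `find_injected`, which is why the tracking check is kept separate.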

Always use HTTPS, with something like HTTPS Everywhere. However, this isn’t realistic, as many websites don’t support HTTPS.

How about switching to other ISPs (Internet Service Providers)? While some people have floated the idea of switching wireless providers altogether, the truth is that there’s no guarantee that your ISP isn’t tracking you or spying on you. Therefore, switching to a different ISP might actually mean giving a different ISP the opportunity to track you.

Bottom line: using a VPN is the best way to prevent your ISP from gathering or sharing data about you.

A VPN stops your ISP from tracking, spying on, or interfering with your Internet use by: